Transparent Botnet Control for Smartphones over SMS. Georgia Weidman

Transcription

1 Transparent Botnet Control for Smartphones over SMS Georgia Weidman

2 Why Smartphone Botnets? Nearly 62 million smartphones sold in Q Development is similar to standard platforms Android = Linux iphone = OSX Windows Mobile = Windows Technical specs not as good as top of the line desktops. They are as good as the desktops you might have at work.

3 Why SMS C&C? Battery Management Fault Tolerant Always On Difficult for security researchers to monitor

4 How an SMS is sent and received

5 How an SMS is sent and received

6 How an SMS is sent and received

7 How an SMS is sent and received

8 Previous Work: SMS Fuzzing At Blackhat 2009, Charlie Miller & Collin Mulliner proxied the application layer and modem to crash smartphones with SMS.

9

10

11

12

13

14

15

16 Master Bot

17 Master Bot Handled by botherders Switched out regularly to avoid detection Prepay SIM Cards + Kleptomania Sends instructions to Sentinel Bots In charge of bot structure

18 Sentinel Bots

19 Sentinel Bots Several trustworthy long infected bots Receive instructions from master bot Pass on instructions to a set of slave bots

20 Slave Bots

21 Slave Bots Receive instructions from sentinel bots Carry out botnet payload functionality (DDOS, SPAM, etc.)

22 Robustness Master Bot: May change device, platform, SIM at will Prepaid phones are difficult to track Has knowledge of all active bots Sentinel Bots: Reserved for long time bots The only bots that interact directly with the master Master may promote any slave when needed Slave Bots: A compromise results in at most finding the identity of a single sentinel

23 Security Concerns Impersonation: Use cryptographic keys to authenticate master bot and sentinel bots Replay: SMS timestamps Sequence number One time keys

24 SMS-Deliver PDU F1040B F A0AE8329BFD4697D9EC37 Field Value Length of SMSC 07 Type of Address (SMSC) 91 Service Center Address (SMSC) F1 SMS Deliver Info 04 Length of Sender Number 0B Type of Sender Number 91 Sender Number F1 Protocol Identifier 00 Data Coding Scheme 00 Time Stamp A User Data Length 0A User Data E8 32 9B FD D9 EC 37

25 SMS-Deliver PDU F1040B F A0AE8329BFD4697D9EC37 Field Length of SMSC 07 Type of Address (SMSC) 91 Service Center Address (SMSC) SMS Deliver Info 04 Length of Sender Number F1 0B Type of Sender Number 91 Sender Number Protocol Identifier 00 Data Coding Scheme 00 Time Stamp User Data Length F1 Value A User Data E8 32 9B FD D9 EC 37 0A

26 How It Works 1. Bot Receives Message 2. Bot Decodes User Data 3. Bot Checks for Bot Key 4. Bot Performs Payload Functionality

27 How It Works 1. Bot Receives Message Bot receives all communication from modem If SMS (code CMT) continue analysis If not SMS pass up to user space 2. Bot Decodes User Data 3. Bot Checks for Bot Key 4. Bot Performs Payload Functionality

28 How It Works 1. Bot Receives Message 2. Bot Decodes User Data Moves through PDU to User Data Decode 7 bit GSM to plaintext 3. Bot Checks for Bot Key 4. Bot Performs Payload Functionality

29 How It Works 1. Bot Receives Message 2. Bot Decodes User Data 3. Bot Checks for Bot Key Bot checks for secret key in message If bot message continue analysis If not bot message pass to user space 4. Bot Performs Payload Functionality

30 How It Works 1. Bot Receives Message 2. Bot Decodes User Data 3. Bot Checks for Bot Key 4. Bot Performs Payload Functionality Bot reads functionality request in message If found perform functionality If not found fail silently

31 Getting The Bot Installed Regular Users: App + Local Root Exploit (Sendpage etc.) Example: John Oberheide's Twilight Android Botnet Defcon Skytalks 2010 Root-level/Jailbroken Users: Root level app using proxy function for AWESOME + Bot Remote: Remote root exploit (rooted and nonrooted) Example: ikee-b Duh Worm for iphone

32 Example Payloads Spam Creating SMS-Send PDUs and passing them to the modem Example: SMS ads DDOS Millions of smartphones vs. a server Loading New Functionality Send URL in payload Download the module into known payloads

33 Parallel Research: iphone Base Code Rise of the ibots: Owning a Telco Network Collin Mulliner and Jean-Pierre Seifert SMS and P2P smartphone botnets

34 DEMO : ) Android Bot with SMS Spam Payload Released code has the bot without payloads (have fun)

35 Thanks To Mom for helping me master character arrays in c.

36 Contact Georgia Weidman Website: